terraform
config_error
ai_generated
true
Error: Output refers to sensitive values: output "db_password" depends on sensitive attribute "var.db_password"
ID: terraform/sensitive-variable-in-output
90%Fix Rate
88%Confidence
1Evidence
2024-05-12First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Terraform v1.5.0 | active | — | — | — |
| Terraform v1.6.0 | active | — | — | — |
| Terraform v1.7.0 | active | — | — | — |
Root Cause
An output value is derived from a sensitive variable or resource attribute without being explicitly marked as sensitive, causing a validation error.
generic中文
输出值来源于敏感变量或资源属性,但未显式标记为敏感,导致验证错误。
Official Documentation
https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-outputsWorkarounds
-
95% success Mark the output as sensitive: `output "db_password" { value = var.db_password; sensitive = true }`
Mark the output as sensitive: `output "db_password" { value = var.db_password; sensitive = true }` -
80% success If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.
If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.
中文步骤
Mark the output as sensitive: `output "db_password" { value = var.db_password; sensitive = true }`If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.
Dead Ends
Common approaches that don't work:
-
Remove the sensitive attribute from the variable definition
70% fail
The data is still sensitive; removing the attribute doesn't make it safe to expose.
-
Use nonsensitive() function in the output value
60% fail
nonsensitive() only works if the value is not truly sensitive; it may cause a runtime error if the source is sensitive.
-
Comment out the output block entirely
40% fail
This hides the value but doesn't fix the underlying dependency issue.